AccessDenied:无权执行sts:AssumeRoleWithWebIdentity [英] AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
问题描述
我环顾了类似的问题,但无法解决我的问题。我正在开发一个Web应用程序,用户将使用AWS Cognito的身份验证进行身份验证。注册部分可以,但是当我尝试登录时,出现了未授权异常。我已经尝试将自定义策略附加到我的IAM角色(授权sts:AssumeRoleWithWebIdentity),但是没有用。.现在是这样编写代码的:
I've looked around similar problems, but couldn't resolve my problem. I'm developing an web application where the user will authenticate using AWS Cognito's authentication. The sign up part is ok, but when I try to sign in, I'm getting the "not authorized" exception. I've already tried to attach custom policies to my IAM Role (authorizing sts:AssumeRoleWithWebIdentity), but didn't work.. Here is how the code is written right now:
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function (result) {
var sts = new AWS.STS({apiVersion: '2011-06-15'});
var params = {
RoleArn: 'arn:aws:iam::981601120657:role/Cognito_AliceAuth_Role', /* required */
RoleSessionName: 'AliceUserSession',
WebIdentityToken: result.getIdToken().getJwtToken(),
Policy: '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*" } ] }'
};
sts.assumeRoleWithWebIdentity(params, function (err, data) {
if (err)
console.log(err, err.stack); // ** <-- ERROR HERE
else
console.log(data); // successful response
});
//document.getElementById('authForm').submit();
},
onFailure: function (err) {
alert(err);
}
});
如您所见,我也在代码中指定了策略,但仍然得到 AccessDenied :未经授权执行sts:AssumeRoleWithWebIdentity错误。请帮助我:/
As you can see, I specified the policy in the code too, but I still get the "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity" error. Please help me :/
编辑:
在 Cognito_AliceAuth_Role中,我创建了角色策略:
AssumeRoleWithWebIdentityPolicy:
Inside the "Cognito_AliceAuth_Role" I've created the role policies: AssumeRoleWithWebIdentityPolicy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Resource": "*"
}
]
}
并且:GetFederationTokenPolicy
and: GetFederationTokenPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
}
]
}
信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
推荐答案
似乎您使用的是Cognito用户池出售的Id令牌来调用假定RoleWithWebIdentity。
Seems like you are using the Id token vended by Cognito user pools to call the assumeRoleWithWebIdentity.
您首先需要将此令牌与Cognito身份联合,然后可以使用由Cognito身份出售的Open Id连接令牌来调用acceptRoleWithWebIdentity。
您也可以直接使用增强流。
You need to federate this token with Cognito identity first and you can use the Open Id connect token vended by Cognito identity to call assumeRoleWithWebIdentity. You can directly call getCredentialsForIdentity as well using Enhanced flow.
请参见此,以了解有关如何使用Cognito身份联合用户池令牌的更多信息。
See this to learn more about how to federate user pools token with Cognito identity.
这篇关于AccessDenied:无权执行sts:AssumeRoleWithWebIdentity的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
